Intrepidus Group is proud to sponsor BSidesROC for the fourth year in a row. The event is a free conference put on by local hackers, featuring presentations given by security industry experts from around the world. It is designed to facilitate interaction, foster professional networking, and help bridge the gap between skilled security professionals and employers seeking to hire them. In addition, the conference provides security-related games, challenges, and activities.

Last Saturday (January 28), I presented an updated talk on Apple’s iOS MDM system at ShmooCon 8. I had a great time, and really enjoyed all the questions and nice comments I received afterwards. I thought I’d mention a couple of the changes that iOS 5 provides.

First, the devices support some additional restrictions and controls. These controls should be available in most commercial MDM solutions, and can also be found in the iPhone Configuration Utility (IPCU). Among these new controls are the ability to:

I’ve updated my experimental MDM server to support most of these features. I’ve also added some better documentation for the server code, and scripts to help create the necessary server and CA certificates.

Slides from the presentation, as well as the code and the Black Hat white paper and slides, are all available on GitHub. Enjoy!

1 – Create new AppID that looks like “com.apple.mgmt.COMPANY.PRODUCT_NAME” (this is not very clear from README).
2 – Install web.py (not an easy step, but this is a general question, not MDM related)
3 – Perform other steps from README, server address is ip-address.
4 – Update SSL config strings in server.py to avoid warning at start:

Hey, first, thanks for that update to the CherryPy configuration. Those errors thrown the first time a client connected were annoying, but not so annoying that I ever looked into fixing it.

As for the problems you’re having… The notifications you copied in step 7 are normal (or at least, I see them too). Are you successfully enrolling? That is, does the server show response of Authenticate and TokenUpdate commands? I’m assuming it did, and that you’re using the device token in the “normal” push notification you sent in step 9.

Problem is, if step 9 is working (that is, if the message is at least getting to the client), then you’ve got APNS service working. Unless the test message sent in 9 is from a different network than what your test server is running on? For example, if you use an online service to test the push notification… In that case, I’d look into whether local network rules are preventing the outbound connection to Apple’s APNS servers.

You can try sending the proper MDM-formatted push message via whatever system you used in step 9, if it’ll allow you to create the right message (which it might not). I simply added the “{‘mdm’:’<pushmagic token>’}” property to a normal message, which gives an error on the device because of the extraneous “aps:” dict, but the mdm daemon processes the command anyway.

That’s all I can think of at the moment: that the push message simply isn’t getting from your server to Apple’s servers, or perhaps, if it is, the push cert might not be correct.

Hello.
I have used your advice about the manual MDM-formatted push message and it works. If I send the push notification ["aps":{"alert":"My first push notification!","sound":"default"},"mdm":"A0433A31-2B0B-41FD-B79B-002F8C1A28D7"], the device connects to the server and performs the action (lock at least, haven’t tested others yet). So the problem is with the MDM-push-notification part of the server.
I have sent a request to join the enterprise program but doubt I’m already accepted. So this means that even with a developer profile you are able to implement MDM :).
I will try to investigate why the server from the post doesn’t work fine. If the server’s code has some error and I find it, I’ll post here.
Thanks for the help.

I found why the device doesn’t receive notifications from the server. I am testing with a developer provisioning profile, so I must use gateway.sandbox.push.apple.com as the notification server. But the server was configured to use gateway.push.apple.com. To use the sandbox I changed the APNSNotificationWrapper param: “wrapper = APNSNotificationWrapper(‘PushCert.pem’, True)”. It was False.

Ah! Good catch. I thought developer push certs could use either server, but that they should use the sandbox when testing. Or perhaps that’s just how you created the certificate in the first place. I’ll try to make a note of that; it might trip up someone else too.

Hi david_schuetz,
I met the same error which Van mentioned.
After the device enrolled, I can send MDM commands to the device and get responses from it.
However, when I tried to send a normal APNS message to the device such as {“aps”,{“alert”:”Hello”}}, I got this error from the iPCU console:
=======================================
<Notice>: (Error) MDM: Rejecting MDM push dictionary because it does not contain the “mdm” key
=======================================
After that I added the mdm key with the push magic, and it showed the “MDM: Ignoring extra keys in push dictionary” warning.
So I am confused about whether the MDM framework supports the normal APNS message (not containing the “mdm” key) or not?
Many thanks.

Ideally, the MDM push message should not contain an “aps” key, but only the “mdm” key. However, the APNS library I used doesn’t let you send such a message (though it can easily be modified to do so). The “ignoring extra keys” warning shouldn’t affect anything.

You can’t use the MDM push enrollment to send “normal” APNS messages to the device (like the alert you describe above). To do that you’ll need to send to another client designed to accept such alerts.
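The two points made in this thread, the “mdm”-only push dictionary (versus the “aps”-plus-“mdm” message that triggers the “extra keys” warning) and the sandbox versus production gateway choice from the earlier comment, as an added example that is not the post’s server code or the APNS library it uses. It mirrors the device-side checks quoted above, picks the gateway host, and packs the legacy binary APNS frame; the frame layout and the 256-byte payload limit are the legacy protocol as assumed here, and the device token is a constructed sample.

```python
import json
import struct

# Gateway hosts from the thread; the sandbox host goes with developer
# provisioning profiles, the production host with the enterprise program.
APNS_GATEWAY = {
    False: ("gateway.push.apple.com", 2195),
    True: ("gateway.sandbox.push.apple.com", 2195),
}


def mdm_payload(push_magic):
    """Minimal MDM wake-up dictionary: only the 'mdm' key, carrying PushMagic."""
    return {"mdm": push_magic}


def check_payload(payload):
    """Mirror the device-side checks quoted in the comments above.

    'rejected'   : no 'mdm' key (the iPCU console error)
    'extra-keys' : 'mdm' present but other keys such as 'aps' too (the warning)
    'ok'         : a clean MDM dictionary
    """
    if "mdm" not in payload:
        return "rejected"
    if set(payload) - {"mdm"}:
        return "extra-keys"
    return "ok"


def gateway_for(sandbox):
    """Select the APNS host/port; the wrapper's boolean flag plays this role."""
    return APNS_GATEWAY[bool(sandbox)]


def apns_frame(device_token_hex, payload):
    """Legacy APNS 'simple' frame: cmd 0, 2-byte token length, 32-byte token,
    2-byte payload length, JSON payload (at most 256 bytes)."""
    token = bytes.fromhex(device_token_hex)
    if len(token) != 32:
        raise ValueError("device token must be 32 bytes")
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    if len(body) > 256:
        raise ValueError("payload exceeds the 256-byte legacy APNS limit")
    return struct.pack("!BH32sH", 0, len(token), token, len(body)) + body


if __name__ == "__main__":
    # Constructed sample token (64 hex chars); PushMagic value is from the thread.
    frame = apns_frame("ab" * 32, mdm_payload("A0433A31-2B0B-41FD-B79B-002F8C1A28D7"))
    print(gateway_for(True), len(frame), "bytes")
```

The frame bytes would be written to a TLS socket opened with the push certificate to the selected gateway; that part is omitted so the block runs offline.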

Hi, I tried sending an InstallApplication command. The device receives it and prompts for installation, then fails silently with nothing happening; sending a ManagedApplicationList command after a while shows the app with a status of failed. Tried with both a custom app and an iTunes free app.